Page MenuHomeFreeBSD

linuxkpi: Fix __sg_alloc_table_from_pages loop

Authored by on Apr 17 2023, 8:17 PM.
Referenced Files
Unknown Object (File)
Fri, Jun 21, 3:30 PM
Unknown Object (File)
Sat, Jun 15, 1:36 AM
Unknown Object (File)
May 23 2024, 12:11 PM
Unknown Object (File)
May 19 2024, 7:51 PM
Unknown Object (File)
May 12 2024, 4:59 PM
Unknown Object (File)
Apr 22 2024, 2:29 PM
Unknown Object (File)
Dec 20 2023, 7:22 AM
Unknown Object (File)
Dec 10 2023, 5:19 PM



Commit 3e0856b63fe0e375a0951e05c2ef98bb2ebd9421 updated
__sg_alloc_table_from_pages to use the same API as linux, but modified
the loop condition when going over the pages in a sg list. Part of the
change included moving the sg_next call out of the for loop and into the
body, which causes an off by one error when traversing the list. Since
sg_next is called before the loop body it will skip the first element
and read one past the last element.

This caused panics when running PRIME with nvidia-drm as the off-by-one
issue causes a NULL dereference.

Diff Detail

rG FreeBSD src repository
Lint Not Applicable
Tests Not Applicable

Event Timeline

bz added reviewers: linuxkpi, manu, dumbbell.
bz added a subscriber: bz.

Good catch and likely something which may have been bugging me as well on other work.


I wonder at the same time why we switched from using for_each_sg() in first place as that would have avoided the problem, but I am probably too tired to see that...

This revision is now accepted and ready to land.Apr 17 2023, 8:36 PM

I think the intention was to add a check of the value of s, but I thought it looked doable to do that while still using for_each_sg(). I'm not 100% sure either.

This revision was automatically updated to reflect the committed changes.